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Abstract 



The way entanglement influences the power of quantum and classical multi-prover in- 
teractive proof systems is a long-standing open question. We show that the class of lan- 
guages recognized by quantum multi-prover interactive proof systems, QMIP, is equal 
to MIP*, the class of languages recognized by classical multi-prover interactive proof sys- 
tems where the provers share entanglement. After the recent result by Jain, Ji, Upad- 
hyay and Watrous showing that QIP = IP, our work completes the picture from the ver- 
ifier's perspective by showing that also in the setting of multiple provers with shared en- 
tanglement, a quantum verifier is no more powerful than a classical one: QMIP = MIP*. 
Our techniques are based on the adaptation of universal blind quantum computation (a 
protocol recently introduced by us) to the context of interactive proof systems. We show 
that in the multi-prover scenario, shared entanglement has a positive effect in removing 
the need for a quantum verifier. As a consequence, our results show that the entire 
power of quantum information in multi-prover interactive proof systems is captured by 
the shared entanglement and not by the quantum communication. 
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1 Introduction and Related work 

An interactive proof system |GMR89] IBab85| consists of an interaction between a computationally 
unbounded prover and a computationally bounded probabilistic verifier. The prover attempts to 
convince the verifier that a given input string satisfies some property, while the verifier tries to 
determine the validity of this proof. A language L is said to have an interactive proof system if 
there exists a randomized polynomial-time verifier V such that an honest prover can, with high 
probability, convince V to accept when the given input is in L (completeness), and no prover can 
convince V to accept with high probability when the input is not in L (soundness). The class of 
languages having interactive proof systems is denoted IP. Multi- prover interactive proofs (MIP), 
first proposed in [BOGKW88J , are the generalization of interactive proofs to the multi- prover sce- 
nario. It was shown in |BFL9H IFRS94j that MIP = NEX P, paving the w ay to impo rtant results in 
inapproximability and probabilistically checkable proofs [FGL"'"96 , IAS98| IaLM"'"98] . 



The quantum analogue of interactive proofs, quantum interactive proofs (QIP), were first intro- 
duced by Watrous |Wat99| : they involve a computationally unbounded prover exchanging quantum 
messages with a polynomially bounded quantum verifier. Using the powerful techniques of captur- 
ing the computational power of quantum interactive proofs by semi-definite programming (SDP), 
Kitaev and Watrous showed [KWOOj that IP C QIP = QIP(3) C EXP (where QIP(A;) denotes 
a fc- message quantum interactive proof). Recently, by employing an efficient parallel algorithm 
for SDP, Jain, Ji, Upadhyay and Watrous |JJUW09] solved a long-standing open problem on the 
power of quantum interactive proof systems by showing that QIP is contained in PSPACE (since 
IP = PSPACE ILFKN 90. Sha90i it follows that QIP = IP); this work builds on a previous result 
that QIP(2) C PSPACE [ JUW09J . We therefore conclude that quantum information adds no power 
to the single- prover interactive proof scenario. The corresponding question regarding the power of 
multi-prover quantum interactive proof systems where the provers share prior entanglement but 
otherwise cannot communicate, however, remains open. 

Quantum interactive proofs with multiple provers (QMIP) were introduced by Kobayashi and 
Matsumoto |KM03| . where they proved that in the case where provers share no entanglement, 
QMIP(u.e.) = MIP and moreover when the provers share at most polynomially many entangled 
qubits, QMIP(i(5 ) C NEXP. Several papers have already analyzed both negative and positive as- 
pects of sharing entanglement in the context of interactive proofs with multiple provers involving 
a quantum verifier (QMIP) or a classical verifier (MIP*) |CHTW04l [KKMVOSi IKVOG] and yet the 
question of how entanglement infiuences the power of such proof systems has not been answered: 
since entanglement can potentially increase both the completeness and soundness error, it is not 
even clear whether the expressive power of either QMIP or MIP* is a subset or superset of, or is 
incomparable to NEXP. 

Hence one could hope for a breakthrough using fresh techniques for a full understanding of the 
expressive power of quantum multi-prover interactive proofs with provers sharing an unlimited 
amount of entanglement. This paper presents a step forward in this direction: based on a novel 
approach connecting a cryptographic protocol with interactive proof systems, we show that a quan- 
tum verifier is no more powerful than a classical verifier even in the multi-party scenario, and hence 
that QMIP = MIP*. 

2 Summary of Contributions and Techniques 

Recently Jain, Ji, Upadhyay and Watrous |JJUW09] obtained the surprising result that quantum 
interactive proof systems and classical interactive proof systems have equivalent expressive power, 
proving that QIP = IP. Using a different approach based on a cryptographic protocol, we prove the 
analogue of this result in the context of multiple provers with shared entanglement, to demonstrate 
that quantum computing adds no power to interactive proof systems even with multiple provers: 
QMIP = MIP*. More precisely, we show that for any number k of provers, QMIP [A;] = MIP*[/c] 
(the case k = 1 following from [JJUW09]). Our proof is heavily based on the usage of shared 
entanglement which can be seen as another positive aspect of shared entanglement in the multi- 
prover scenario. 

Our techniques are based on the adaptation of universal blind quantum computation |BFK09| 
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(a protocol recently introduced by us) to the context of interactive proof systems. We have al- 
ready used this method to show that any language in BQP has an entangled two-prover interactive 
proof system requiring a verifier performing only randomized polynomial-time classical computa- 
tion and provers performing polynomial-time quantum computation. Similarly, we show in this 
work how to use the shared entanglement between computationally unbounded provers to reduce 
the requirement of the verifier in a multi-prover quantum interactive proof system to purely clas- 
sical computation, without reducing the expressive power of the interactive proof system. The 
connection between interactive proof system and blind quantum computation was first studied by 
Aharonov, Ben-Or and Eban |ABE10| . however it remains an open question whether their setting 
can yield a multi-prover interactive proof system with a purely classical verifier, which is what we 
require for our construction. 

Informally speaking, a protocol V for a language L in QMIP consists of several rounds where the 
verifier receives a quantum message from each prover which she processes to generate the next set of 
quantum messages to be sent to the provers. One can use the blind quantum computation protocol 
between the verifier and entangled provers to remove this need for the verifier to exchange and 
process quantum information with the provers. In order to run a quantum circuit, she enlists the 
help of two entangle d provers. Pi and P2- Pi first receives authenticated and encrypted quantum 
messages teleported jBBC"'"93| from the other provers (the special case of authenticating Pi's own 
message is also covered), and then the two-server blind quantum computation protocol is executed 
with Pi and P2, so that Pi eventually computes the next set of messages. These messages are re- 
distributed (via teleportation) to all other provers, with the help of whom the verifier then verifies 
the authenticity of the messages. Note that we use a loose definition of teleportation, referring to 
the special case where the verifier controls the classical communication between provers since in 
our protocol, there is no direct communication between provers. Moreover, using encryption and 
an authentication code, the verifier can do away with her need to store a local quantum register 
between rounds by using Pi's memory. The blindness property guarantees that no information is 
leaked to the provers, as though the verifier herself is running the quantum circuits. Repeating 
this process, we simulate V with a protocol requiring only a classical verifier, thus showing that 
L G MIP*. The overhead cost of such action is the usage of a linear (in the size of the verifier's 
quantum circuits) number of copies of entangled states l^""*") = :^(|00) + |11)) and polynomial 
classical communication. We prove that the completeness is unchanged and that the soundness 
error can be bounded arbitrary close to the original value. 

3 Preliminaries 

We assume that the reader is familiar with the quantum formalism, including the quantum circuit 
model and measurement-based quantum computing (MBQC) f RBOll [RBB031 lDKP07j . This sec- 
tion reviews the model of quantum multi-prover interactive proof systems and sketches the blind 
quantum computation protocol. 

We use the definition and notation defined in the earlier work of Kempe, Kobayashi, Matsumoto 
and Vidick [KKMV0 8J . A quantum A:-prover interactive proof system consists of a verifier V with 
private quantum register V (with one qubit designated as the output qubit) and k provers Pi , . . . , Pfc 
with private quantum registers Pi, . . . , Pk, as well as quantum message registers Mi, . . . , M^. At 
the beginning of the protocol, all the qubits in (V, Mi, ... , M^) are initialized to |0 . . . 0), and the 
qubits in (Pi, . . . , P^) are in some shared state, |$), prepared by the provers in advance (and hence 
possibly entangled). No communication between the provers is allowed after the preparation of 
this state. The protocol consists of alternating turns of the provers and of the verifier, starting 
with the verifier, if m is even, and with the provers otherwise. During the turn of the verifier, V 
applies some polynomial-time circuit to the qubits in (V, Mi, . . . , M^), and then sends each message 
register M| to prover Pj. During the turn of the provers, each Pj applies some transformation to 
the registers (Pi, Mj) for 1 < i < k and sends Mj back to the verifier. The last turn is always 
a turn for the provers. After the last turn, the verifier applies a polynomial-time circuit to the 
qubits in (V, Mi, . . . , Mk), and then measures the output qubit in the standard basis, accepting if 
the outcome is |1) and rejecting otherwise. 
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Formally, an m-turn polynomial-time quantum verifier V for fc-prover QMIP system is a polynomial- 
time computable mapping from input strings x to a set of polynomial-time uniformly gener- 
ated circuits {V^ , . . . , yr(™'+^)/2l }, and a partition of the space on which they act into registers 
(V, Ml, . . . , Mk), which consist of polynomially many qubits. Similarly, an m-turn quantum prover 
P is a mapping from x to a set of circuits {P^, ■ ■ ■ , pr(™+i)/2l j ga,ch acting on registers (Pi, Mi). No 
restrictions are placed on the complexity of this mapping or the size of Pi, however, the provers are 
limited by the linearity of quantum mechanics. Note that in our setting, circuits and P* might 
include measurements (e.g. a measurement pattern) and implement a general completely positive 
trace preserving map, and not just a unitary operator, however this is equivalent to the standard 
setting |AKN98llREBn3] . 

The protocol {V,Pi, . . . ,Pk, \ ^)) is the alternating application of provers' and verifier's circuits 
to the state |0. . .0) (g) |$) in registers (V, Mi, ... , Mk, Pi, ... , Pk). We say that {V,Pi,.. .,Pk, |$)) 
accepts X if the designated output qubit in V is measured in 1 1) at the end of the protocol and call 
the probability with which this happens Pacc{x, V, Pi, . . . , Pk,\^)). 

Definition 1. A language L is in QMIP(A;, m, c, s) if there exists an m-turn polynomial-time quan- 
tum verifier V for quantum k-prover interactive proof systems such that, for every input x: 

(Completeness) if x G L, there exist m-turn quantum provers Pi,. . . ,Pk and a shared state \^) 
such that Pacc{x, V,Pi, . . . ,Pk, \^)) > c, 

(Soundness) if x^L, for any m-turn quantum provers P{,...,P^ and any shared state |<I>'), 
Pacc{x, V, P[, . . . , Pi, 1$')) < s. (We refer to s as the soundness error. J 

We can similarly define an entangled /c-prover interactive proof system (MIP*) to be a quantum 
fc-prover interactive proof system where the verifier's private and message registers are classical, 
and with the unbounded provers performing quantum computations and having access to shared 
entanglement. Hence an m-turn polynomial-time classical verifier V for a fc-prover MIP* system 
is a polynomial-time computable mapping from input strings a; to a set of polynomial-time uni- 
formly generated classical circuits {V^, . . . , y r("^+i)/2l |^ g^^id a partition of the space on which they 
act into registers (V, Mi, ... , Mk), which consist of polynomially many classical bits. An m-turn 
quantum prover P is a mapping from x to a set of circuits {P^, . . . , pr(''"+^)/2l |^ each acting on 
registers (Mi, Pi). Circuits and P* might employ private randomness. At the beginning of the 
protocol, all the bits in (Mi, . . . , Mk) are initialized to zero, and the qubits in (Pi, . . . , Pk) are in 
some shared state, |$), prepared by the provers in advance (and hence possibly entangled). The 
remaining definition are exactly the same as for QMIP. 

Next we briefly discuss the universal blind quantum computation protocol (UBQC) |BFK09| 
which will be used in the proof of our main result. Suppose Alice has in mind a unitary op- 
erator U that is implemented with a pattern on a flxed but universal graph state with {X, Y) 
measurements with angles given as multiples of tt/4. This pattern could have been designed either 
directly in MBQC or from a circuit construction. Alice does not have the full quantum power to 
implement U, and wishes to use Bob as a resource to do so, while maintaining the privacy of her 
computation, meaning that Bob does not learn anything about the computation that he is helping 
Alice perform (except an upper bound on the dimensions of her circuit). Following |BFK09j . we 
say that such a protocol is blind if Bob's view of the protocol does not depend on Alice's input 
{X), when given an upper bound on the dimensions of her circuit (Y); since his view consists of 
classical and quantum information, this means that the distribution of the classical information 
does not depend on X (given Y) and that for any fixed choice of the classical information, the 
state of the quantum system is uniquely determined and does not depend on X (given Y). We will 
subsequently refer to this property as blindness. 

There are two stages to the protocol: preparation and computation. In the preparation stage, 
Alice prepares single qubits chosen randomly from (|0) + e*^ |1)) \ = 0, it/4, 2tt/A, . . . , Jtt/A} 

and sends them to Bob. After receiving all the qubits. Bob entangles them according to the uni- 
versal brickwork state [BFK09j . The computation stage involves interaction: for each layer of the 
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brickwork state, for each qubit, Alice sends a classical message to Bob to tell him in what basis of 
the (X,Y) plane he should measure the qubit. Bob performs the measurement and communicates 
the outcome; Alice's choice of angles in future rounds will depend on these values. Importantly, 
Alice's quantum states and classical messages are astutely chosen so that, no matter what Bob 
does, he cannot infer anything about her measurement pattern. If Alice is computing a classical 
function, the protocol finishes when all the qubits are measured. If she is computing a quantum 
function. Bob returns to her the final qubits. A modification of the protocol also allows Alice's 
inputs to be quantum. An authentication mechanism is provided; this allows Alice to ascertain 
that Bob has followed her instructions. 

One can view the UBQC protocol as an interactive proof system for any language in BQP where 
Alice acts as the verifier and Bob as the prover [BFK091 lABElOj . Moreover, the protocol can be 
adapted to the setting of a purely classical verifier who communicates classically with two noncom- 
municating entangled provers, in order to perform a blind quantum computation |BFK09j . In this 
scenario, the general idea is for one prover to be used to prepare the random qubits that would have 
been generated by Alice in the original protocol, while the other prover is used for universal blind 
quantum computation. Our main technique is the extension of this view in order to substitute a 
quantum verifier in a protocol for QMIP with a purely classical one. 

4 Contribution 

4.1 Definitions 

The main step in our construction is to design an interactive protocol with only classical commu- 
nication that replaces a turn for the verifier in a given quantum interactive proof system: the new 
protocol requires only classical resources for the verifier. The next definition captures this notion. 

Definition 2. A k-party delegated quantum computation is any protocol which accepts quan- 
tum input states stored in message registers M\ in Hilhert space Aii from each of k provers Pi, and 
classical input Cy from a verifier V, where Cy represents the classical description of a quantum 
circuit of size polynomial in log {Y\^ dim(A^j)). After Cy is applied to (Mi, . . . , M^), the protocol 
returns to each prover Pi the register Mj and returns y to V , where y is the classical result of 
measurements performed on any ancillary qubits introduced by V in Cy. The provers may share 
prior entanglement, but are not allowed to communicate during the protocol. Furthermore, commu- 
nication between individual provers and the verifier is purely classical, and the verifier is restricted 
to performing randomized polynomial-time classical computation. 

In order to provide a full simulation of the quantum verifier, we require that our protocol have 
certain properties as formalized in the next few definitions. At first glance, some of these properties 



may seem stronger than what would be required; we expand on this in Section 4.2 

Definition 3. A k-party delegated quantum computation is efficient if: 

• Given Cy, the description ofV can be computed in time polynomial in 0((]^j dim(A^j)); 

• V 's computation runs in time polynomial in 0((]^. dim(7Wj)). 

For a A;-party delegated quantum computation, we define the result of the computation to be y 
together with the final state of message registers (Mi, . . . , M^). 

Definition 4. A k-party delegated quantum computation is authenticated with parameter 5 if there 
exists a bit yo £ {pass, fail} in y such that: 

• if all parties follow the protocol, yo = pass; 

• if one or more provers interfere with the protocol then either: 

— their actions fail to alter the result of the computation and yo = pass; or 

— their actions alter the result of the computation, and except with probability at most 2"^ , they 
are detected, with yo = fail, indicating alteration. 
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In Definition [6| we give a notion of privacy in terms of a black-box functionality (defined below) 
for a multi-party delegated computation. Informally speaking, a private protocol will not leak any 
information to provers and hence such a protocol can be used for the simulation of a protocol 
for QMIP. 

Definition 5. A k-party circuit evaluation black-box is a functionality which accepts quantum 
input states from each of k provers Pi stored in message registers M\ and classical input Cy from 
a verifier V , where Cy represents the classical description of a quantum circuit. The black-box 
returns to each prover Pi the register M\ after applying Cy to (Mi, . . . , Mk). 

In the next definition, we use the notion of circuit dimensions to represent the depth and the 
width of the circuit. 

Definition 6. Let V be a k-party delegated quantum computation and B to be the k-party circuit 
evaluation black-box. For both V and B, let the verifier's input be any arbitrary circuit Cy and 
the provers' input be any states stored in Mi, . . . , M^. We say V is private if the distribution of 
information obtainable by any malicious prover Pi in V is dependent only on the dimensions of Cy 
and on the distribution of information obtainable by Pi in B. 

As defined in Section [3j in a quantum interactive proof system, the verifier has a private quan- 
tum register V, however such a scenario is not captured in our definition of a multi-party delegated 
quantum computation. The next lemma removes the requirement of quantum memory for the 
verifier during the provers' turns. In our construction, we also do away with the private quantum 
register V during each turn of the verifier: this is explained as part of the proof of Theorem [T] 

Lemma 1. Given any L G QM\P{k,m,c,s), there exists an interactive proof system for L where 
the verifier does not require quantum memory during the provers' turns and only the soundness 
error changes to s' < max{s, e}, for any fixed e > 0. 

Proof. In order to remove the requirement of quantum memory, at the end of her turn, the verifier 
encrypts and authenticates her quantum register V and sends it to one of the provers and asks 
him to return them with his message in the next turn. Both encryption and authentication can 
be achieved by applying a random error correcting code (e.g. [BCG"'"02j ). where the verifier only 
needs to store a classical key. In this way, only the soundness error might be affected: since the 
probability of not detecting a cheating player in the authentication protocol is bounded by some e 
which is exponentially small in the security parameter, we have s' < max{s, e}. □ 

4.2 Main Result 

As classical information processing is a special case of quantum information processing, trivially 
MIP* C QMIP; we prove the reverse inclusion by showing how a multi-party delegated quantum 
computation can replace the required quantum power of the verifier in a protocol for QMIP with 
only classical computing. 

There are two steps to our main result. First, we show in Theorem [T] that if an efficient, authen- 
ticated and private /c-party delegated quantum computation exists, then QMIP C MIP*. Then, we 
show in Protocol [T] how to instantiate such a A:-party delegated quantum computation protocol and 
prove that it satisfies these requirements in Theorem [2j More intuition on Protocol [T] is given after 
the proof of Theorem [TJ 

As mentioned, we have imposed some conditions on the fc-party delegated quantum computation 
protocol in Theorem [T] that are stronger than may seem necessary. We now elaborate on this. First 
of all, in a given protocol for QMIP, the verifier's circuits are public. Thus, our privacy definition 
would seem to be stronger than what is necessary as only the verifier's private register V needs to be 
hidden (we also must ensure that the protocol does not provide a covert means of communication 
between provers). However, for our instantiation of the /c-party delegated quantum computation 
protocol, the authentication property heavily relies on this strong definition of privacy; so does the 
construction that sees Pi manipulate the encrypted version of the verifier's private register V and of 
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the other provers' message registers. Secondly, the authentication definition seems stronger than re- 
quired: all we would really need to guarantee is that the result that is returned to the verifier, y, be 
correct. However, also due to the construction that sees Pi manipulate the encrypted and authenti- 
cated version of the verifier's private register V, we must have that not just y, but the register in Pi's 
hands be authenticated at each iteration of the /c-party delegated quantum computation protocol. 

Theorem 1. // there exists a k-party delegated quantum computation protocol which is efficient, 
authenticated (with parameter 6) and private then QM\P{k,m,c,s) C M\P* {k,m',c,s'), where 
s' < max{s, 2"*^} and the number of turns m! is polynomially bounded in the input size \x\. 

Proof. Recall that by Lemma [l| it is sufficient to consider a verifier with no quantum memory 
during the provers' turns (the only consequence being a potential modification of the soundness 
error; this is addressed below). 

Without loss of generality, we assume that the interaction begins with a turn of the provers. 
Hence the interactive proof can be broken down into a number of rounds polynomial in the input 
size, where in each round j: 

1. Each prover applies a quantum circuit to prepare the new state of message register Mj. 

2. Each prover Pi transmits his message register M| to the verifier. 

3. The verifier performs a computation described by circuit on (V, Mi, . . . , M^). 

4. The verifier transmits the message register Mi to each prover Pi. 

We wish to use V, a A;-party delegated quantum computation protocol, to perform the computa- 
tion and message preparation required by steps [2}^ However, V requires a fully classical verifier. 
Even with the application of Lemma [T| we must still deal with the verifier's quantum register V in 
Step [3| The solution is for the register V to always remain with Pi in an encrypted and authen- 
ticated form: V adjusts her circuits to add the encryption and authentication at the end of the 
circuit , leaving the encrypted and authenticated register V with Pi, and then circuit V^~^^ is 
adapted so that it acts on the encrypted and authenticated register. 

Using the above construction, we may now use V to perform the computation and message 
preparation required by steps [2}|4] above, yielding a verifier performing only classical randomized 
polynomial-time computation, and hence a protocol in MIP* (we specify that if yo = for any call 
to V, the verifier rejects). It remains to show that the parameters are as indicated in the statement 
of Theorem [TJ 

Clearly, the number k of provers is unchanged. Note that V is efficient, since the verifier's strat- 
egy can be computed in polynomial-time, runs in polynomial time, and requires only polynomial 
communication. Hence the resulting protocol still has a polynomial number of turns, leading to m' 
being polynomially bounded in the input size 

To see that the completeness parameter, c, is unchanged, note that if x G L, and the honest 
provers follow the protocol (including calls to V), the verifier will accept with probability c as calls 
to V always produce the correct state of the message registers. 

Finally, the soundness error, s, is affected by the following: 

1. By Lemma [l| (and setting e = 2"'^), the soundness error for the protocol with a memoryless 
verifier is < max{s, 2"''}. This is consistent also with the use of e = 2"^ as a security parameter 
for the authentication of V. 

2. Since V is private, the distribution of information gained from V by any cheating prover Pj is 
no more than that obtained through a black-box functionality and circuit width and depth of 
the verifier's computation. This is no more than what is obtainable in the original interactive 
proof, as in an interactive proof the verifier's circuit dimensions are known. Furthermore, note 
that our black-box definition of privacy precludes any leaking of information (other than circuit 
dimensions) during sequential composition, and calls to V are independent. Hence cheating 
provers cannot exploit calls to V to increase the soundness error. 

3. Since P is authenticated, any deviation from the computation leads to the verifier rejecting 
(since yo = fail), except with probability exponentially small in the security parameter 6. 
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The soundness error of the final protocol is independently affected by [T}|3] above; this leads to 
the soundness error for the final protocol satisfying s' < max{s, 2"''}. □ 

We now explicitly formulate a /c-party delegated quantum computation and show that the pro- 
tocol satisfies the conditions of efficiency, authentication and privacy required by Theorem [TJ As 
outlined in Section [2| the idea behind our construction, given in Protocol [l} is to use the blind 
quantum computation protocol |BFK09j between the verifier and entangled provers to remove the 
need for the verifier to exchange and process quantum information. 

In order to run a quantum circuit, the verifier enlists the help of two entangled provers. Pi and 
P2. Pi first receives authenticated and encrypted message registers Mi teleported from the other 
provers (the special case of authenticating Pi's own message register is also covered), and then 
the two-server blind quantum computation protocol is executed with Pi and P2: P2 helps prepare 
the required initial qubits for the UBQC protocol by performing measurements on his share of the 
entangled states, while Pi performs the actual blind computation, eventually computing the final 
states of the encrypted message registers. These registers are re-distributed (via teleportation) to 
all other provers, who then verify their authenticity with the help of the verifier. 

The input message preparation protocol (Protocol [2]) accomplishes two things: it transfers all of 
the provers's quantum message registers to Pi, and also encrypts and authenticates them so that 
no prover can extract any information, any tampering will be detected and the authentication is 
compatible with the UBQC protocol. The authentication consists of the verifier instructing the 
provers to encode their message qubits into an error correcting code, telling them which trap qubits 
to insert (these are qubits that are in a known eigenstate of a Pauli operator) , and how to permute 
the resulting states. The provers perform a teleportation measurement involving their system and 
the shared entanglement with Pi , but instead of revealing the measurement result to Pi , they send 
it to the verifier: this action transfers their encrypted message register to Pi. There is an extra 
step for Prover P2 since he is involved later on in the preparation of the initial states for the blind 
protocol: the position of trap qubits inserted by prover P2 in his message register should become 
hidden to him even after they are teleported to prover Pi , this is done in Step |4] in Protocol [2j A 
similar issue is valid for Pi's own message register: Step [5] in Protocol [2] involves P2 who applies an 
additional permutation to Pi's message register so that the position of the trap qubits remains hid- 
den to both Pi and P2. On top of this, all qubits in message registers receive random Z-rotations; 
these are necessary in order for the inputs to be compatible with the UBQC protocol (Protocol |4]) . 

At this point, the verifier, together with Pi and P2, execute the UBQC with entangled servers 
protocol (Protocol |4] in the Appendix), where the encoding and authentication is already performed, 
and where Pi provides a quantum input. More explicitly. Protocol |4] is an adaptation of the au- 
thenticated UBQC protocol with quantum input and output to the entangled servers scenario. The 
full protocol is a simple consequence of our previous result |BFK09j . 

The output message distribution protocol, Protocol|3j consists of sending the appropriate encoded 
quantum message register computed by prover Pi to provers Pj for verification and decryption. The 
authentication in our protocol ensures that both Pi and P2 are performing the required operations; 
it also ensures that Pi has sent the correct message registers to each Pj. In order to do so, the ver- 
ifier instructs each prover to make several Pauli measurements over specific qubits. Note that due 
to blindness of Protocol |4] and initial random permutation, the provers have no information about 
the location and the state of the returned trap qubits. Furthermore, the returned qubits from Pi 
are all one-time padded since the result of the teleportation measurements are known only to the 
verifier. Hence Protocol [3] reveals at most the new location of trap qubits of each prover Pj which 
is of course independent of the state of the message registers and hence the obtained protocol is 
authenticated and private. This is formalized in Theorem [2] The blindness property of Protocol [4] 
guarantees that no information is leaked to the provers, as if V herself is running the quantum 
circuits. The overhead cost of such action is the usage of a number of copies of \^^) linear in the 
size of the verifier's quantum circuits and polynomially many classical messages. 
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Protocol 1 /c-Prover Delegated Quantum Computation Protocol 



1. Using Protocol [2j the input message registers of all provers are encoded, encrypted and 
transferred to prover Pi. 

2. The verifier uses Pi and P2 and executes the Authenticated UBQC with Entangled Provers 
with Quantum Input and Output Protocol (Protocol E] in the Appendix) with the encoded 
message registers received by Pi in Step [l] (with keys k and as defined in Protocol [2]) . 

3. Using Protocol [3j the message registers resulting from the computation in Step [2] are distributed 
and verified. 



Protocol 2 Input Message Preparation Protocol 

1. The verifier chooses C, where C is some nc-qubit error-correcting code with distance dc- The 
security parameter is 5 = dc. 

2. For each prover Pi, for each qubit j in message register Mji 

(a) The verifier instructs Pi to encode qubit j using C. 

(b) The verifier instructs Pi to prepare 3nc qubits in eigenstates of Pauli operators chosen 
uniformly at random by the verifier. We refer to these as trap qubits and we refer to the 
trap qubits and the qubits used in the error-correcting code collectively as a block. 

(c) The verifier instructs Pi to apply a random permutation iTij to the block. 

(d) The verifier instructs each Pi except Pi to apply to each qubit k a random Z-rotation, 
Z{9k), with 6}. S {0, 7r/4, 27r/4, . . . , 77r/4}, independently chosen for each qubit. 

3. Each prover Pi except Pi uses the teleportation protocol to transmit their entire quantum 
message register to Pi but communicates the measurement results only to the verifier. 

4. For each block j, the verifier instructs Pi to apply a permutation TTg ^ to the qubits containing 
the result of the teleportation from P2. 

5. For each block j of prover Pi: 

(a) Pi uses the teleportation protocol to transmit his 4nc qubits to P2 but communicates the 
measurement results only to the verifier. 

(b) The verifier instructs P2 to apply a permutation tt'^ ■ to the qubits containing the result 
of the teleportation from Pi. The verifier also instructs P2 to apply to each qubit k of the 
system a random Z-rotation in Z{6k),0k G {0, 7r/4, 27r/4, . . . ,77r/4}, independently chosen 
for each qubit. 

(c) P2 uses the teleportation protocol to return the 4nc qubits to Pi but communicates the 
measurement results only to the verifier. 

Note that for each qubit, the verifier can now take into account all the received teleportation results 
as well as the Z{6k) rotations, to compute the X operation and Z-rotation that has been applied to 
the original message registers. Let these values be k^ G {0, 1} and k^ G {0, 7r/4, 27r/4, . . . , 77r/4}. 



Theorem 2. Protocol^is a k-party delegated quantum computation which is efficient, authenti- 
cated (with param,eter 6) and private for all k>2. 

Proof. If all parties follow Protocol [T| the outcome is correct; this follows from the correctness of 
the UBQC protocol. In particular, Protocols [2] and |3] serve only to encode and decode the input 
states for use in blind quantum computation (Protocol ffl in the Appendix); no information is lost 
during either of these stages, and so the correctness rehes only on the correctness of Protocol [4] 
(see the Appendix). Additionally, Protocol [l] is efficient since our construction is polynomial-time 
computable and the verifier runs in time polynomial in O (f^^ dim(A^j)). 

To show that Protocol[l]is private, we construct a set of simulators {Si, . . . ,5^} (see Figure [T]). 
Each simulator Si interacts with Pj, simulating all other participants. As Si simulates all par- 
ticipants except Pi, this implies that Si shares entanglement with Pi (as Pj, j i would) and 
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Protocol 3 Output Message Distribution and Verification Protocol 



1. For each prover Pi ^ Pi, the verifier instructs -Pi to apply a permutation vr"^ to each block j 
and then teleport the ^nin^ qubits of message register Mi to Pi. The measurement results are 
communicated only to the verifier. 

2. The verifier instructs Pi to measure each of the trap qubits in their correct basis. 

3. Pi returns the measurement results of the trap qubits to the verifier. 

4. If the verifier receives the expected measurement results for each of the trap qubits, she sets 
yo = pass. If a mismatch is found, she sets ?/o = fail- 

5. If 2/0 = pass, for each Pf. 

(a) The verifier sends Pj the one-time pad key (coming from Step l] above and from the UBQC 
with entangled servers protocol), and all permutations applied to their qubits. 

(b) Pi decrypts and decodes their message register. 



Entangled Proveis with their Quantum Registers 









Vw 




/w ■ 


■ \A/V 
w 





Classical 
Coinmunication 



Verifier with her Classical Input 




(a) Real Protocol (b) Simulation Protocol 

Figure 1: (a) A fe-party delegated quantum computation protocol, with the provers and their 
quantum registers l\/li,...,Mk and the verifier and her classical input Cy . (b) A simulation 
protocol where simulator S\ simulates all other participants P2, ■ ■ ■ ,Pk while sharing entanglement 
with Pi and only communicating classically with Pi. The simulator also has access to a black 
box Bi with input register Mi, that calls the A;-party circuit evaluation black-box B with fixed 
inputs in registers Mj for all j 7^ 1 and Cy. 



communicates classically with Pj (as V would) . Importantly, Si does not have access to any of the 
other participant's inputs, but instead has access to a single use of a black box Bi that takes as 
input a single quantum register Mj, and calls the /c-party circuit evaluation black-box B with fixed 
inputs in registers Mj for all j 7^ i, corresponding to the contents of registers Mj in the protocol, as 
well as the classical description of Cy corresponding to V^s input. Si also has access to the circuit 
dimensions of Cy. Bi calls the A:-party circuit evaluation black-box B, outputing only register Mi 
to Si (again, see Figure [T]). We show that no Pj can distinguish between an execution of the real 
protocol and an execution of the protocol with Si . It follows that the protocol is private since this 
proves that the distribution of information obtainable in Protocol [l] is dependent only on the circuit 
dimensions of Cy and on the distribution of information obtainable by Pj in B (since otherwise 
Si would not be indistinguishable). Note that we consider here perfect indistinguishability for a 
computationally unbounded Pj and that we make no restrictions on Pj's a priori knowledge. 

In what follows, we assume that Si and Pj share the same entangled states as Pj would share 
with other provers Pj {j 7^ i) in a real execution of the protocol. Recall that in the protocol, all 
communication is classical and is between Pj and V, hence this is the only communication that Si 
must simulate. 
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First, we consider the case for i > 3 and give a description for Si. In Protocol [T] the involvement 
of Pi is limited, as Pi simply teleports his authenticated and encrypted input registers to Pi (Pro- 
tocol [2]) and later receive his answer register encoded in a similar fashion (Protocol [s]) . Thus the 
strategy for Si is, following the same format as in Step [2] of Protocol [2| to instruct Pi to encode and 
encrypt his quantum input register according to a random key chosen by Si, to receive (Step [3] of 
Protocol [2]) the state by teleportation via the entanglement that Pi would normally share with Pi, 
but that Si is actually sharing with Pj. Si then decodes the state (recall that Si knows the key 
as well as the results of the teleportation measurements). This state is used as the input into the 
black-box Bi. The output is then re-encoded in a manner consistent with what is used in Protocol [3] 
and teleported back to Pj for verification. Clearly, from the point of view of Pj, his interaction with 
Si is indistinguishable from his interaction with the real protocol. 

A similar strategy works for the input and output registers are dealt with as above, with 
P2's input register used as input in the black-box 82- Again, the output is also re-encoded and 
returned to P2 as above. Additionally, in Step [5] of Protocol [2| 52 asks P2 to apply a random 
permutation to a system that remains encrypted from P2's point of view. This is indistinguishable 
from Pi's real input due to the quantum one-time pad applied by the teleportation, and thus 5*2 
need only provide P2 with the completely mixed state. 52 asks P2 to apply random Z-rotations, as 
in Step [5] of Protocol [2] Furthermore, P2 is involved in Step [2] of Protocol [T| which calls Protocol [4] 
in the Appendix. For Protocol |4j since 52 knows the dimensions of the circuit, he can choose the 
dimensions n and m of the brickwork state accordingly. As for P2 's involvement in Step [2] of Pro- 
tocol 4, he is asked to measure his part of j'l'i'^y) iii ) as usual, the difference being that the 
measurement results not used any further. From the point of view of P2, his interaction 

with 52 is indistinguishable from his interaction with the real protocol. 

To show a strategy for 5i, we analyze each step of Protocol [T] separately: 

• Step [1]. This is a call to Protocol [2j The strategy for 5i is to instruct Pi to encode and encrypt 
his quantum input register according to a random key chosen by 5i. 5i then receives (Step [5] 
of Protocol [2]) the state by teleportation via the entanglement that Pi would normally share 
with P2 , but that 5i is actually sharing with Pi . 5i then decodes the state (recall that 5i knows 
the key as well as the teleportation bits). This state is used as the input into the black-box Bi. 

• Step [2[ Here, Protocol |4] is executed. As above, since 5i knows the dimensions of the circuit, 
he can choose the dimensions n and m of the brickwork state accordingly. Due to the blindness 
of the UBQC protocol (Protocol [4] in the Appendix), the interaction involved can be simulated 
knowing only the circuit dimensions: 5i's strategy for this step is simply to instruct Pi to measure 
the brickwork state qubits with random measurement angles. Using this technique. Pi cannot 
distinguish between his interaction with the real protocol or with 5i. 

• Step [3| The output from the black-box Bi is re-encoded (in a manner consistent with what is 
used in Protocol |3]) . 5*1 then applies a Hadamard gate and subsequent Z rotation to each qubit. 
The angle of rotation for each qubit is chosen independently as a random multiple of ^. This 
system is then teleported to the correct position in the column x = n— 1 of the brickwork state via 
the entanglement established in Step [l] of Protocol |4j 5i uses the knowledge of Pi's measurement 
angles and results in order to use the last layer of the brickwork state to undo the random Z 
rotation and Hadamard on each qubit and to establish the one-time pad key on the system. 
The verification and decryption procedure is executed according to Protocol [3} 

From the point of view of Pi, his interaction with 5i is indistinguishable from his interaction with 
the real protocol. Thus, as the required set of simulators {5i, . . . ,Sk} exists, Protocol [T] is private. 

Finally, to show that Protocol [T] is authenticated, first note that if all parties follow the protocol, 
the outcome is correct as discussed above and the verifier sets yo = psss in Protocol [3] since all trap 
qubit verifications succeed. We now show that any non-trivial modification of the result of the 
computation leads to 7/0 = fsil; except with exponentially small probability in (5. As no prover has 
any information about the layout of the trap qubits (due to random permutation performed in Pro- 
tocol [2]), the probability of disturbing a trap qubit by Protocol [l] is the same as in Protocol |4j Thus 
any interference with the delegated quantum computing protocol by any group of provers can be 
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detected due to the authentication property of Protocol [4] (this is based on Theorem 7 of |BFK09| 
see also the Appendix). That is to say, in order to create an undetected error, a malicious party 
must apply an operator of weight at least 6, but as they do not know the location of the trap qubits, 
the probability of applying such an operator without disturbing a trap qubit scales as . 

Moreover, it is straightforward to verify that from the point of view of the verifier, any devia- 
tion by any number of provers in the Input Message Preparation Protocol (Protocol [2]) and/or the 
Output Message Distribution and Verification Protocol (Protocol |3]) is equivalent to a deviation 
performed by Prover 1 during the course of Step [2] of Protocol [T} or more precisely, during Step [5] 
of Protocol [4] in the Appendix. For example if the provers attempt to collectively cheat by not 
performing the required permutations, the trap qubits will be misplaced from the point of view of 
the verifier, and since in the Output Message Distribution Protocol (Protocol |3]) all the message 
registers are one-time padded, no prover can correctly produce the expected measurement result 
over the trap qubits. Therefore the verification steps will fail except in the case where the provers 
can correctly guess the expected measurement results or the permutations applied, which occurs 
only with exponentially small probability. Any other type of deviation, such as not performing 
the correct encoding of the message register, sending the wrong measurement result during the 
teleportation procedure, or incorrect preparation of the trap qubits is detected for exactly the same 
reason due to the authentication property of Protocol |4| □ 

5 Discussion 

In summary we proved QMIP[/i;] = MIP*[A;] (k > 2) based on the existence of a protocol for k- 
party delegated quantum computation which is efficient, authenticated and private. Combined 
with the results of |J JUW09] . we get that QI\/1IP[A;] = MIP*[fc] for all k. Our proof is based on novel 
techniques that give a direct simulation for a quantum interactive proof system with a classical 
interactive proof system with entangled provers. These techniques may have interesting applica- 
tions elsewhere, but do not appear to be directly applicable to the single prover setting; thus the 
relationship between our approach and that of [ JJUW09| remains an interesting question. 

We have showed how to use the power of shared entanglement between provers to replace the 
quantum communication in a protocol for QMIP. While the longstanding open problem regarding 
the relationship between QMIP and MIP is still open, our result demonstrates that it suffices to 
look at the direct relation between MIP* and MIP, forgetting QMIP altogether, and focusing the 
question to the understanding of the power of shared entanglement. 
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A Authenticated UBQC with Entangled Servers with Quantum Input and Output 

In this section, we explicitly construct the full protocol for authenticated UBQC with entangled 
servers with quantum input and output received and stored by Prover 1. This is a simple compo- 
sition and adaptation of several protocols in [BFK09| with an extra construction (Step 3g) to deal 
with the the fact that the verifier's circuit is now public knowledge. In the Protocol |4j we assume 
that at step |4| the verifier's transformed circuit is implemented with a pattern on a brickwork 
state Gnxm with measurements given as multiples of 7r/4. Each qubit \ipx,y) £ Qnxm is indexed 
by a column x G {0, . . . , n} (column consists of the input qubits and column n of the output 
qubits) and a row y e {1, . . . ,m}. Thus each qubit is assigned: a measurement angle <i>x,yi a set 
of X-dependencies Dx,y C [x — 1] x [m] , and a set of Z-dependencies D'x,y ^ — 1] x [m] . Here, 
we assume that the dependency sets Xx,y and Zx^y are obtained via the flow construction |DK06j . 
During the execution of the pattern, the actual measurement angle (/>^ ^ is a modification of (j)x,y 

that depends on previous measurement outcomes in the following way: let s-^^y = ®i^Dx,ySi be the 
parity of all measurement outcomes for qubits in Xx^y and similarly, sf „ = ®i^D'^ si be the parity 



of all measurement outcomes for qubits in Zx^y Then (f)'^ y = {—lY^^y (t)x,y + Sx,y^- 

Protocol [4] is a slight modification of the UBQC with entangled servers protocol which was shown 
to be correct in Section 5 based on Theorem 2 in jBFK09 . The only diff'erence is in Step 3g where 
several identity gates are added which does not affect the correctness. A simple modification in 
Protocol [4] ensures that the inputs are coming from the provers, without affecting the blindness 
property (Theorem 6 in |BFK09j ). Finally the extra padding structure added in Step 3g allow us to 
conveniently extend the proof of authentication (Theorem 7 in [ BFK09| ) for the case of the public 
knowledge of verifier's circuit available in a QMIP protocol. 
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Protocol 4 Authenticated UBQC with Entangled Provers and Quantum Input and Output 



1. Initial input of the protocol 

(a) Provers 1 and 2 share l^^^y) = + l^l)) for x = 1, . . . , n — 1 and y = 1, . . . ,m {n and 
m are given in step 3g below). 

(b) Prover 1 receives quantum input prepared following the Step [T] of Protocol [T] to be the first 
column of the brickwork state in the computation. These input qubits are encoded with C 
(C is some nc-qubit error-correcting code with distance dc) and 3nc qubits in eigenstates 
of Pauli operators chosen uniformly at random (called trap qubits) are added to them. The 
collection of these 4nc qubits are called a block. Moreover a random permutation is applied 
to each block and finally a one-time pad with keys k^ y Gij {0, 7r/4, 27r/4, . . . , 77r/4} and 

kQ y {0, 1} is performed on each qubit. 

(c) The permutations, the state of trap qubits and one-time pad keys are known to the verifier 
and not to provers 1 and 2. 

2. Verifier's preparation with Prover 2 

For each column x = 1, . . . ,n — 1 and for each row y = 1, . . . ,m: 

(a) The verifier chooses 9x,y £r {0, 7r/4, 27r/4, . . . , 7tt/4} and sends it to Prover 2, who measures 
his part of \<l>+y) in \±§^ J- 

(b) Prover 2 sends nix^y, the outcome of his measurement, to the verifier. 

3. Verifier's authenticated preparation 

(a) Convert target circuit Cy to fault-tolerant circuit: 

- Use error-correcting code C. 

- Perform all gates and measurements fault-tolerantly. 

- Some computational basis measurements are required for the fault-tolerant implementation 
(for verification of ancillae and non-transversal gates). Each measurement is accomplished 
by making and measuring a pseudo-copy of the target qubit: a ctrl-X is performed from 
the target to an ancilla qubit initially set to |0), which is then measured in the Z-basis. 

- Ancilla qubit wire are evenly spaced through the circuit. 

- The ancillae are re-used. All ancillae are measured at the same time, at regular intervals, 
after each fault-tolerant gate (some outputs may be meaningless). 

(b) Within each encoded qubit, permute all wires consistent with the position of non-trap qubits 
in the encoded input of Prover 1, keeping these permutations secret from Provers 1 and 2. 

(c) Within each encoded qubit, add Sht trap wires consistent with the position of trap qubits 
in the encoded input of Prover 1. The trap qubit wire (at this point) does not interact with 
the rest of the circuit. 

(d) Trap qubits are verified using the same ancillae as above: they are rotated into the 
computational basis, measured using the pseudo-copy technique above, and then returned 
to their initial basis. 

(e) Any fault-tolerant measurement is randomly interspersed with verification of Sut random 
trap wires. For this, identity gates are added as required. 

(f) For encoded qubits with classical outputs, the trap wires of the corresponding blocks are 
rotated as a last step, so that the following measurement in the computational basis is used 
for a final verification. 

(g) Convert the whole circuit above to a measurement-based computation on the brickwork 
state, with the addition of regular Z-basis measurements corresponding to the measurements 
on ancillae qubits above. Swap and identity gates are added as required, and trap qubits 
are left untouched. Further identity gates are added so that for any choice of permutation 
for each block, the resulting dimensions, n and m, of the brickwork states are identical and 
hence dependent only on the dimensions of Cy. 



14 



Protocol 4 — Continued 



4. Verifier's blind quantum computation with Prover 1 

Taking Ox^y = Ox,y + mx^yir (for x = — 1 and y = l,...,m) and 0o,?/ = (for 

y = 1, . . . , m), the verifier runs the fohowing steps to implement the authenticated measurement 
pattern constructed in Step |3] 

(a) The verifier periodically instructs Prover 1 to measure in Z as indicated in Step [sj These 
qubits are chosen at regular spacial intervals so that no information about the structure of 
the computation is revealed. 

(b) Prover 1 prepares the last column of qubits \ipn,y) = |+) (y = 1; • • • j^t-)- 

(c) Prover 1 creates an entangled state from all received qubits, according to their indices, by 
applying ctrl-Z gates between the qubits in order to create a brickwork state Qnxm- 

(d) For each column x = 0, . . . ,n — 1 and for each row y = 1, . . . ,m: 

i. Verifier computes (p'^^y with the special case (j^'oy = {~^)''°'^4'o,y 

ii. The verifier chooses rx^y £r {0, 1} and computes 6x,y = 4>'x^y + 0x,y + '^i~x,y ■ 

iii. The verifier transmits 5x,y to Prover 1. 

iv. Prover 1 measures in the basis {j+a^j^y) A—5x,y)}- 

V. Prover 1 transmits the result Sx,y G {0, 1} to the verifier, 
vi. If rx,y = 1 above, the verifier flips Sx,y', otherwise she does nothing. 

(e) The last column consists of quantum outputs together with their corresponding trap qubits, 
where all these qubits are one-time padded with keys known only to the verifier (Theorem 4 
[BFK09j ). In order to obtain a classical outcome, the verifier instructs Prover 1 to measure 
the corresponding block (a quantum output together with its trap qubits). Note that the 
output measurements are restricted to be in the {X, Y) plane so that the classical outputs 
will be one-time padded with keys fn-i^y known only to the verifier. However this is not a 
restriction as any other arbitrary measurement can be also applied by adding the required 
rotation as part of the original pattern computation. Finally also note that since trap 
qubits are inserted in each block and each block is randomly permuted, only the verifier 
knows the exact position of the output qubits. 

5. Verifier's verification 

The verifier uses the results of the trap qubit measurements performed by Prover 1 above to 
detect any deviation from the protocol. The verifier accepts only if all the results correspond 
with her initial preparation of the trap qubits, otherwise she rejects. 
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